The RareSkills Book of Zero Knowledge
This is the most programmer-friendly zero knowledge proof tutorial available
The guiding light for the construction of this book is simple: mind-blowing clarity
Table of Contents
Chapter 1: P vs NP
Chapter 2: Arithmetic Circuits
Chapter 3: Finite Fields and Modular Arithmetic
Chapter 4: Set Theory
Chapter 5: Group Theory
Chapter 6: Rings and Fields
Chapter 7: Elliptic Curve Addition
Chapter 8: Elliptic Curves in Finite Fields
Chapter 9: Bilinear Pairings
Chapter 10: Rank 1 Constraint Systems
Chapter 12: Quadratic Arithmetic Programs
Chapter 13: R1CS to QAP in Python
Chapter 14: Encrypted Polynomial Evaluation
Chapter 16: Groth16 Explained
Chapter 17: Circom and Circomlib
Extra Zero Knowledge Proof Material
About this book
This book is not an assortment of ZK topics. It is an opinionated subset about what you need to know to actually code a practical zero knowledge prover and verifier (ZK-SNARK) from scratch.
There is a difference between having conceptual understanding of something and having a concrete understanding. Most reasonably smart people get a conceptual understanding of something after reading a tutorial, but they are still a long way off from doing something useful with that knowledge.
For a mathematician, a concrete understanding happens when they write a proof. For a programmer, a concrete understanding happens when they write functioning code.
The RareSkills Book of Zero Knowledge is heavily geared towards the programmer seeking to obtain a concrete understanding. Our book is full of code snippets and demonstrates the use of actual cryptography libraries. We make use of math notation, but we write it in such a way that translating it to source code is only a small leap.
Groth16 is the algorithm used by tornado cash (and many others) for implementing zero knowledge proofs on-chain. We believe it is an optimal starting point for your learning journey, and our book is the most direct route to fully understanding the algorithm.
Realistic expectations for learning zero knowledge
It’s one thing to learn zero knowledge proofs (few succeed at it), it’s another to successful help other engineers learn the topic. There are very few institutions that have that distinction, and we are proud that RareSkills is one of them. Here’s what we’ve learned:
1. If you haven’t completed a linear algebra class before, you probably do not have the mathematical maturity to really grasp the subject
Just like it isn’t possible to understand “object oriented programming” if you can barely code a calculator, it isn’t possible to understand zero knowledge proofs without a sufficient math background. However, the math needed is nowhere near as advanced as people think it needs to be. “Abstract Algebra” sounds scary, but it isn’t. Our book introduces all the abstract algebra you’ll need. “Finite fields” may sound advanced, but they aren’t.
Nevertheless, a “math light” introduction to zk proofs is an oxymoron. ZK proofs are fundamentally mathematical.
Expertise in linear algebra is not essential, but you should understand what an inner product is, how matrix multiplication works, and what linear dependence is. Bonus points if you understand the relationship between the determinant of a matrix and the product of two square matrices (though this is not essential).
2. Math notation is efficient, you should be reasonably comfortable with it
If you can’t figure out why
is basically a double for-loop, understanding zk proofs will be a challenge
We could have written that as
But note this is a much more verbose way to express it. Our zero knowledge tutorial explains in English the notation, but you need to be able to read it, even if it means copying the formula down with pen and paper to see it piece-by-piece.
Being able to read math notation fluently is not a requirement, but you should be able to translate it without excessive effort.
3. Zero knowledge has a high concentration of straightforward, but unfamiliar topics
Most programmers understand polynomials, but have you ever sat down and wondered why the roots of a product polynomial is the union of the roots of the two polynomials that make up the product? This information is useless most of the time — except when studying zero knowledge proofs. In zero knowledge proofs, straightforward but “useless” math suddenly becomes useful. Because you probably haven’t exercised the part of your brain that relies on this kind of math, it will feel more difficult.
4. It isn’t possible to learn zero knowledge proofs with less than 80 hours of effort, and that is a best case scenario
Although the book is divided into 17 chapters, it’s very unrealistic to grasp the material in 12 days. Each topic is unfamiliar to most programmers, and each topic has a “sink in” period of about a week, assuming you are actively thinking about the concept and writing code to test your knowledge.
We think 12-18 weeks of disciplined self-study is realistic for engineers with sufficient math background.
You need to get your hands dirty with the topic to get an intuition for it — and our book provides plenty of suggestions for how to do that. Just like you cannot learn to code only by reading a book or watching a video, you cannot learn zero knowledge proofs without actually tangling with the math involved.
If you are fresh out of a mathematical undergraduate degree, and were lucky enough to have taken a class on elliptic curves, this book will be a breeze for you. Realistically, we expect less than 5% of our readers fall into that category.
This book is relentlessly practical
Our goal is for you to be able to construct provers and verifiers from scratch. Any knowledge that doesn’t directly aid in this is skipped. Some topics that are discussed at length elsewhere are skipped or delayed in this book. For example, we don’t directly discuss the definitions of completeness and soundness, and we don’t explain what a extractor and simulator are (although we talk extensively about proof forgery, which is related to the above).
Even more surprisingly, interactive oracle proofs and the Fiat-Shamir Transform are not discussed early on, and we don’t directly explain polynomial commitment schemes. You’ve probably seen those discussed at length in other resources, but we intentionally omit them. Why?
These topics are counterproductively theoretical for a zk beginner coming from a programming background.
This does not mean we eschew theory — the first five chapters of the book are all math that we believe is important. We are very opinionated about which theory directly affects practice and which ones only have a long-range effect.
The goal of this book (and bootcamp) is to help you build a prover and verifier from scratch. We believe the above topics, while obviously important for anyone who wants to become an expert, should not be studied too soon. Similarly, we don’t include the common analogies about zero knowledge proofs such as alibaba caves or where’s Waldo, as these don’t help you get any closer to coding something practical.
Our bootcamp is worth it
We are very confident that studying zk proofs with us will shave at least 50 hours off of your learning journey. If you have the technical background and motivation to understand zk proofs, your time is probably quite valuable, so why not make the most of it?
Don’t be too cool for school. Protocol leads and engineering executives at major companies have taking this course, so you’ll be in good company. It isn’t because they aren’t intelligent enough to go through the above material and learn it, it’s because their time is worth hundreds of dollars per hour, so saving (at least) 50 hours is money well spent.
By no means are we saying you cannot learn zk proofs on your own, it is possible, and we believe the RareSkills Book of Zero Knowledge is the best way to do it. That said, it will be considerably faster if you do it with our community and instructors.
Outcomes
One of our students documented his journey implementing the prover and verifier for the Groth16 zero knowledge proof protocol from scratch.
You can see his five part writeup here. You can also see Optimizoor's (Vectorized) implementation here.
Why are you making this free if your bootcamp costs money?
First, if you’re going to pay for our bootcamp, don’t you want some assurance that we are actually capable of teaching the subject?
Second, accelerated learning is personalized, which no tutorial can do. The bootcamp is to help you apply the information effectively, not merely to acquire the information effectively.
What about other resources?
We aren’t the first to attempt to explain this difficult subject. Here are other resources we are aware of that we believe are good quality. Sometimes, seeing the subject from multiple angles is helpful.
-
Why and How zk-SNARK works, (medium version)
-
ZK Learning This is taught from an academic perspective, so it is quite theoretical. However, if you want to dive into the research literature, this is a great starting point. It’s best to have taken other cryptography courses and a course in abstract algebra before using this.
Acknowledgement
This book would not have been possible to create without the financial support of our students (it was not funded by a grant or sponsored by a company), so we are deeply grateful for their participation in our academy.
The time and opportunity cost of creating this book exceeds $130,000 so we hope you find it useful!
Head to the first chapter and get started!